Hacking a phone's fingerprint sensor in 15 mins with $500 worth of inkjet printer and conductive ink

MSU Computer Science researchers Kai Cao and Anil K Jain published a new paper describing a <$500 method for using a 300dpi scan of a fingerprint (which can be captured from a fingerprint sensor itself) to produce a working replica printed with conductive ink fed through a normal inkjet printer, in a procedure that takes less than 15 minutes.

Biometric identifiers are the new hotness in information security, but have significant deficits as authentication tokens, including the fact that biometrics are intrinsically leaky (you reveal your retinas by looking at things and your gait by walking, and shed DNA and leave fingerprints behind everywhere you go) and they can't be revoked once they leak (you can't get new fingerprints when griefers dump your existing ones on the Internet).

People have been hacking fingerprint sensors with gummi bears for more than a decade. In 2013, researchers from the Chaos Computer Club (which had previously dumped 10,000 copies of a scan of the fingerprints of a German government official who'd pushed for biometric ID cards) showed they could create working fake fingers out of gummi that unlocked Iphones, developing a good generalised critique of fingerprint readers in the process.

Fingerprint readers have a legal deficit in the USA, too: though the Fifth Amendment protects people in the USA from being compelled to reveal their phones' unlock codes, it does not prevent the police from forcing you to use your fingerprint to unlock your device (the logic being that the Fifth prevents the compelled disclosure of something you know, but not the compelled production of something you have, including your fingerprints).

The MSU researchers' attack on fingerprint readers worked well on various Samsung phones, and less well on some Huawei phones. However, this is preliminary work; with further research the pair may well discover tunings and optimizations for each sensor's idiosyncrasies.

In summary, we have proposed a simple, fast and effective method to generate 2D fingerprint spoofs that can successfully hack built-in fingerprint authentication in mobile phones. Furthermore, hackers can easily generate a large number of spoofs using fingerprint reconstruction [3] or synthesis [4] techniques which is easier than 2.5D fingerprint spoofs. This experiment further confirms the urgent need for antispoofing techniques for fingerprint recognition systems [5], especially for mobile devices which are being increasingly used for unlocking the phone and for payment. It should be noted that not all the mobile phones can be hacked using proposed method. As the phone manufactures develop better anti-spoofing techniques, the proposed method may not work for the new models of mobile phones. However, it is only a matter of time before hackers develop improved hacking strategies not just for fingerprints, but other biometric traits as well that are being adopted for mobile phones (e.g., face, iris and voice).

Hacking Mobile Phones Using 2D Printed Fingerprints [Kai Cao and Anil K. Jain/Department of Computer Science and Engineering, Michigan State University]

(via /.)

Start the discussion at bbs.boingboing.net